Retrieve account ID

Retrieve your account ID, as shown in the image below:

Activate RAM

Resource Access Management (RAM) is an Alibaba Cloud service designed for controlling resource access. By creating a policy, you can create a shared read account. Users can use this account to log on to the FTP tool and read your files.

Create an authorization policy

After activating RAM, go to the RAM console and click “Policies” on the left side. Follow the steps shown in the diagram below to create a new authorization policy:

Enter the authorization policy as shown below:

Specify policy name and remarks (fields 1 and 2) as needed. “Policy content” in field 3 determines the policy.

{

"Version":"1",

"Statement":[

{

"Action":[

"oss:GetObject",

"oss:HeadObject"

],

"Resource":[

"acs:oss:*:****************:test-hz-john-001/*"

],

"Effect":"Allow"

},

{

"Action":[

"oss:ListObjects",

"oss:GetBucketAcl",

"oss:GetBucketLocation"

],

"Resource":[

"acs:oss:*:****************:test-hz-john-001"

],

"Effect":"Allow"

},

{

"Action":[

"oss:ListBuckets"

],

"Resource":[

"acs:oss:*:****************:*"

],

"Effect":"Allow"

}

]

}

In the example above, replace **************** with your own account ID and replace test-hz-john-001 with your bucket name. Then, copy all the content and paste it in “Policy content”. Finally, click “New Authorization Policy”.

Create an account

The above authorization policy produces a read-only policy. Below, we will create an account and grant this policy to the account. Follow these steps to create an account:

Remember to record the new account’s access_key.

Authorize the account

Below, we will grant the new policy to the account.

Log on with the sub-account

Use the sub-account’s access_key and the bucket in the authorization policy to log on. Now, you can download files and folders, but upload operations will fail.